Hi
I installed avast! Home as administrator on my laptop (XP Prof).
When I log in with another username (with administrative rights) the computer freezes:
The clock on the system tray appears
The Avast! blue icon does not appear
It is impossible to:
select an icon on the desktop
open the start menu
but it is possible to:
press ctrl-alt-del and then disconnect (or stop the system)
after six or seven disconnect-reconnect cycles it may happen that the system starts
very often when I stop the system I receive a message that a process does not stop, asking me if I want to terminate it
the process is ‘explorer.exe’ or ‘IEXPLORE.EXE’
this behavior disappears when I uninstall avast
this happens whether I am logged in as administrator or as the other unlucky user (that is the main user of the laptop)
I searched your FAQ/Forum, so:
I uninstalled avast in safe mode from Control Panel -> Add/Remove Programs -> Avast -> Uninstall
I restarted and executed the aswclear.exe utility
I restarted again and then reinstalled avast!
I restarted again and, logging in as the user, the problem still remains
Avast! is the first and only antivirus I ever installed in this system
this problem started about one week ago
The version is Home
No antivirus is installed (except for avast! obviously)
No security programs are installed
The system is XP Prof SP 1
I executed a search of my local disk and the only IEXPLORE.EXE is the executable of Internet Explorer located in
%PROGRAM_DIR%\Internet Explorer
I have an IEXPLORE.EXE-1BA17782.pf in my windows\Prefetch dir and it was modified today
I do not start the process explicitly myself, but
I noticed that
A - I log in as Administrator
B - I check the active processes and no IEXPLORE.EXE exists
C - I start the virus definition update of avast! manually
D - The update process ends
E - I check the active processes now and IEXPLORE.EXE is there; the user name is Administrator
F - After a few minutes I check the active processes again and IEXPLORE.EXE has disappeared
G - the system stops normally
so I restart and repeat this process until point E
now I stop the system immediately after the avast! update
The window ‘the system is closing the program IEXPLORE.EXE’ appears, where I can hit the button ‘Terminate immediately’ (I’m sorry but my system is Italian and my translation could be poor)
No harm. This is the prefetch file, made by Windows in order to ‘accelerate’ the application load.
avast does NOT start an iexplore.exe process to update… no…
You should run a full avast scan, better at boot time.
Start avast! > Right click the skin > Schedule a boot-time scan. Select archives for scanning. Boot.
Better if you can also download, install, update and run www.ewido.net.
I scanned the system with Ewido and it found
TrackingCookie.Atdmt
TrackingCookie.Tribalfusion
I noticed that every time I start IE these cookies reappear
I avoided this by changing my start page from msn to google
anyway the ‘not called’ process IEXPLORE.exe often appears in my process list
Avast boot scan found
some adware.generic in c:\system volume information\_restore(hexnumbers)
this is the output of HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 15.45.06, on 29/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
With an out-of-date OS you are liable to exploits of vulnerabilities that have long since been patched by MS.
With no active firewall you are also liable to numerous malware infestations.
Both of the above are going to make your system vulnerable and any resolution more difficult.
It is correct that it should be in system32, as is shown to be correct in the early part of the HJT log (‘C:\WINDOWS\System32\svchost.exe’), so yes, the location of this is also suspicious. I’m not sure if this could be a remnant of an earlier OS update from, say, win98, but perhaps not, as it would probably be in the windows\system folder.
There have been 2 or 3 VPS updates since you first posted. If you haven’t done any scans since your first post, please make sure you have the latest update and try another boot scan.
If avast! still doesn’t identify anything, see if you find c:\windows\svchost.exe on your computer. If found, send a sample to Jotti.
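The location check the reply above applies by hand to c:\windows\svchost.exe, as an added example that is not part of this thread: a small Python routine that flags well-known Windows system binaries running from a directory other than their canonical one. The system root, the list of binaries and the sample paths are assumed or constructed here, not taken from the poster's machine.

```python
# Added example (not from the thread): flag known Windows system binaries
# whose image path is outside their canonical directory, the same check the
# reply applies by hand to C:\WINDOWS\svchost.exe vs C:\WINDOWS\System32.
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed system root, as on an XP box

# Canonical directories relative to the system root for binaries that
# malware commonly masquerades as. Illustrative list, not exhaustive.
CANONICAL_DIRS = {
    "svchost.exe":  ["System32"],
    "explorer.exe": [""],          # lives directly in %SystemRoot%
    "lsass.exe":    ["System32"],
    "winlogon.exe": ["System32"],
}

def _norm(path):
    # Windows paths are case-insensitive; normalise separators and case.
    return ntpath.normpath(path).lower()

def suspicious_locations(image_paths, system_root=SYSTEM_ROOT):
    """Return (path, expected_dirs) for every image whose file name is a
    known system binary but whose directory is not a canonical one."""
    hits = []
    for path in image_paths:
        name = ntpath.basename(path).lower()
        if name not in CANONICAL_DIRS:
            continue  # not a binary we track; nothing to compare against
        expected = [_norm(ntpath.join(system_root, d))
                    for d in CANONICAL_DIRS[name]]
        if _norm(ntpath.dirname(path)) not in expected:
            hits.append((path, expected))
    return hits

# Constructed sample, modelled on the paths quoted in the thread.
SAMPLE = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",                 # the copy the reply flags
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"c:\windows\system32\SVCHOST.EXE",        # case differs, still canonical
]

if __name__ == "__main__":
    for path, expected in suspicious_locations(SAMPLE):
        print("suspicious:", path, "expected in", expected)
```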
I sent svchost.exe (in C:\windows) to Jotti and this is the result
AntiVir Found Heuristic/Hijacker (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV Found nothing
Dr.Web Found MULDROP.Trojan (probable variant)
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Edit: Prior to doing the above, zip and password-protect a copy of svchost.exe and email it to virus@avast.com. Put a short explanation in the email that this is a possibly undetected trojan, along with the password, then run Dr. Web CureIt.
this is the result of Dr. Web
A0007919.exe C:\System Volume Information\_restore{6AD47CF3-1EAA-4E54-B404-D4D37EBBFA15}\RP64 Probably BINARYRES
svchost.exe C:\WINDOWS Probably BINARYRES
service32[1].exe C:\Documents and Settings%USERNAME%\Impostazioni locali\Temporary Internet Files\Content.IE5\WLKJ83GV Probably BINARYRES
Did Dr. Web put c:\windows\svchost.exe in quarantine?
If it did, then do as Tech said about turning off System Restore; this will delete all your restore points, which is the only way to get rid of the infection hiding there. You can turn System Restore on again later.
Also delete the temporary internet files. I like CleanUp for this since it will mark files for deletion on reboot if necessary.
If you use CleanUp make sure the Delete Prefetch Files option is not checked (deleting these can temporarily slow your computer).
Scheduling an avast! boot scan is fine if you want to do this but, since avast! hasn’t been identifying the problem, I would either substitute another Dr Web scan for Tech’s step #3 or add Dr Web as step #5. In either case you need to reboot first.
You can enable system restore at any point after the Dr Web scan if you wish as long as you are coming up clean.